What are your key security-related questions with WCF?  More importantly, what are the answers?  For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex. 

To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums.  We then worked through to create precise answers.  What you get is a browsable collection of questions and answers, organized by our security frame.   The security frame maps to actionable categories of your application.

Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.

Design Considerations

• How do I decide on an authentication strategy?
• How do I decide on an authorization strategy?
• When should I use message security vs. transport security?
• How do I use my existing Active Directory infrastructure?
• What bindings should I use over the Internet?
• What bindings should I use over the Intranet?
• When should I use resource-based authorization vs. roles-based authorization?
• When should I impersonate the original caller?
• When should I flow the original caller’s identity to back-end resources?
• How do I migrate to WCF from an ASMX web service?
• How do I migrate to WCF from a COM application?
• How do I migrate to WCF from a DCOM application?
• How do I migrate to WCF from a WSE application?

Auditing and Logging

• What WCF Service security events should be logged?
• How do I enable logging and auditing in WCF?
• How do I enable auditing in WCF?
• How do I stop my service if there has been an auditing failure?
• How do I log important business events in WCF?
• How do I implement log throttling in WCF?
• How do I use Health Monitoring Feature with WCF?
• How do I protect my log files?
• How to I pass user identity information in a message for auditing purpose?

Authentication

• How do I decide on an authentication strategy in WCF?
• When should I use brokered authentication?
• When should I use the SQL Server Membership provider?
• How do I authenticate against Active Directory?
• How do I authenticate against a SQL store?
• How do I authenticate against a custom store?
• How do I protect passwords in my user store?
• How do I use certificate authentication with X.509 certificates?
• What is the most common authentication scenario for intranet applications?
• What is the most common authentication scenario for internet applications?
• How do I support authentication for multiple client types?
• What is federated security?
• How do I send credentials in the message when I am using transport security?
• How do I avoid cleartext passwords?

Authorization

• How do I decide on an authorization strategy in WCF?
• What’s the difference between resource-based, roles-based and claims-based authorization?
• How do I use Windows groups for role authorization in WCF?
• How do I use the SQL Role provider for ASPNET role authorization in WCF?
• How do I use the Windows Token role provider for ASPNET role authorization in WCF?
• How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
• What’s the difference between declarative and imperative roles authorization?
• How do I restrict access to WCF operations to specific Windows users?
• How do I associate roles with a certificate?
• What is a service principle name (SPN)?
• How do I create a service principle name (SPN)?

Bindings

• What is a binding?
• What bindings are available?
• Which bindings are best suited for the Internet?
• Which bindings are best suited for the Intranet?
• How do I choose an appropriate binding?
• Configuration Management
• How do I encrypt sensitive data in WCF configuration file?
• How do I run a WCF Service with a particular identity?
• How do I create a service account for running my WCF Service?
• When should I use a configuration file versus the WCF object model?
• What is a metadata exchange (MEX) binding?
• How do I keep clients from referencing my service?

Exception Management

• How do I implement a global exception handler?
• What is a fault contract?
• How do I define a fault contract?
• How do I avoid sending exception details to the client?

Hosting

• How do I configure a least privileged account to host my service?
• When should I host my service in IIS?
• When should I host my service in a Windows service?
• When should I self-host my service?
• Impersonation/Delegation
• What are my impersonation options?
• What is the difference between impersonation and delegation?
• How do I impersonate the original caller for an operation call?
• How do I temporarily impersonate the original caller in an operation call?
• How do I impersonate a specific (fixed) identity?
• What is constrained delegation?
• What is protocol transition?
• How do I flow original caller from ASP.NET client to WCF Service?
• What is the difference between declarative and programmatic impersonation?
• What is the trusted subsystem model?
• When should I flow the original caller to back-end code?
• How do I control access to a remote resource based on the original caller’s identity?

Input/Data Validation

• How do I implement input and data validation in WCF?
• What is schema validation?
• What is parameter validation?
• Should I validate before or after message serialization?
• How do I protect my service from denial of service attacks?
• How do I protect my service from malicious input attacks?
• How do I protect my service from malformed messages?
• Message Protection
• When should I use message security?
• When should I use transport security?
• How do I protect my message when there are intermediaries routing my message?
• How do I protect my message when there are multiple protocols used during message
• transit?
• How do I implement partial message encryption?

Proxy Considerations

• When should I use a channel factory?
• When do I need to expose a metadata exchange endpoint for my service?
• How do I avoid proxy spoofing?

Sensitive Data

• How do I protect sensitive data in configuration files?
• How do I protect sensitive data in memory?
• How do I protect my metadata?
• How do I protect sensitive data from being read on the wire?
• How do I protect sensitive data from being tampered with on the wire?
• How do I authenticate a message was sent by the expected sender?
• How do I encrypt data within my message?

X.509 Certificates

• How do I create X.509 certificates?
• Do I need to create a certificate signed by the root CA certificate?
• How do I use X.509 certificate revocation?
• How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

Deployment Considerations

• What are the additional considerations for using WCF in a webfarm?
• How do I configure WCF for NATs and Firewalls?
• How do I configure Active Directory groups and accounts for role-based authorization checks?
• How do I create an X.509 certificate?
• When should I use a Service Principle Name (SPN)?
• How do I configure a least privileged account for my service?

My Related Posts

• patterns & practices WCF 3.5 Security Guidelines Now Available
• patterns & practices WCF Security Guidance: Updated Application Scenarios
• patterns & practices WCF Security Application Scenarios
• patterns & practices WCF Security Guidance Now Available